Unsealing with Auto Unseal

How Auto Unseal Works
Supported Auto Unseal Providers
Configuration Example: AWS KMS
Links and References

Auto unseal removes the manual overhead of key-shares at startup by delegating master key encryption and decryption to an external Key Management Service (KMS) or Hardware Security Module (HSM). This streamlines Vault operations, improves reliability, and ensures high availability.

How Auto Unseal Works

Master Key Encryption
Vault encrypts its master key with a key stored in an external KMS/HSM instead of splitting it into manual key-share shards. Supported providers include cloud KMSes (AWS KMS, Azure Key Vault, Google Cloud KMS) and on-prem HSMs.
Storage Backend
The encrypted master key is persisted in your chosen storage backend (Consul, etcd, S3, etc.).
Service Startup / Restart
When Vault boots or restarts, it:
- Reads the encrypted master key from storage.
- Calls out to the configured KMS/HSM to decrypt the master key.
- Uses the decrypted master key to unlock the data encryption key (DEK).
- Loads the DEK into memory to access and serve secrets.
Automatic Unseal
No operator action is needed. As soon as Vault initializes, it retrieves and decrypts its master key via the KMS/HSM and completes the unseal process automatically.

Auto unseal works with both open-source and Enterprise Vault. Since Vault 1.0, this feature is available in the open-source edition.

Supported Auto Unseal Providers

Provider	Seal Stanza	Documentation
AWS KMS	seal “awskms”	https://www.vaultproject.io/docs/secrets/aws#auto-unseal-using-aws-kms
Azure Key Vault	seal “azurekeyvault”	https://www.vaultproject.io/docs/secrets/azure#auto-unseal-using-azure-kv
Google Cloud KMS	seal “gcpckms”	https://www.vaultproject.io/docs/secrets/gcp#auto-unseal-using-gcp-kms
AliCloud KMS	seal “alicloudkms”	https://www.vaultproject.io/docs/secrets/alicloud#auto-unseal
On-prem HSM (PKCS#11)	seal “pkcs11”	https://www.vaultproject.io/docs/secrets/pkcs11#auto-unseal-using-pkcs11-hsm

Configuration Example: AWS KMS

Add the seal stanza beneath your global configuration to enable AWS KMS auto unseal:

storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
}

seal "awskms" {
  region     = "us-east-1"       # AWS region where the KMS key resides
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd-1234" 
}

api_addr = "https://<VAULT_IP>:8200"
ui       = true

seal “awskms”: Configures AWS KMS as the unseal mechanism.
region: The AWS region where your KMS key exists.
kms_key_id: The full ARN or key ID of the KMS key used to encrypt/decrypt the Vault master key.

Do not commit your kms_key_id (or any credentials) into source control. Use environment variables or a secrets management workflow to inject sensitive data.

You can swap out "awskms" for any of the other supported providers by updating the seal stanza accordingly.

Links and References

Watch Video

Demo Unsealing with Key Shards

Demo Unsealing with Auto Unseal

⌘I

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

Unsealing with Auto Unseal

How Auto Unseal Works

Supported Auto Unseal Providers

Configuration Example: AWS KMS

Links and References

Watch Video

Introduction

Introduction to Vault

Learning the Vault Architecture

Installing Vault

Compare Authentication Methods

Create Vault Policies

Assess Vault Tokens

Compare and Configure Secrets Engines

Vault Agent

Vault Replication

​How Auto Unseal Works

​Supported Auto Unseal Providers

​Configuration Example: AWS KMS

​Links and References

Watch Video

How Auto Unseal Works

Supported Auto Unseal Providers

Configuration Example: AWS KMS

Links and References